Technology Project 2: Better Browsing Control

In your first technology project you created a GPG key and then uploaded it to the public keyservers, making it possible for you to improve your communication privacy by sending and receiving encrypted email. For this project you will be setting up a secure connection between your computer and the mainframe computers at Columbia, then you will be instructing your web browser to route your web traffic through this secure connection. This will accomplish two things. First, you will block other users on your network, or the ISP on your local internet connection, from snooping on your network traffic. This means that other coffee shop customers sitting near you cannot hijack your connection to various web sites and that no one between your computer and the Columbia servers will be able to tell what sites you are browsing. Second, by sending your web traffic through the Columbia mainframe you will be mixing it with the web traffic of others at the University, making it much more difficult to determine whose traffic is whose.

Step 1: Connect to Columbia

In this step you are going to create a secure connection or "tunnel" to the Columbia Unix cluster. You can use this same general procedure with any other machines to which you may have access, whether that is a box you leave at home, a web hosting account to run a web site, or anyone else who gives you ssh access. All you need is an SSH client program.

OS X (Mac) or Linux users

If you use the OS X or Linux operating systems, you are in luck! A standard ssh client is already installed on your machine. On Linux machines you should be able to find a program called "terminal" or "command line" in your standard application menu. On OS X you can find the terminal program in your Applications directory under "Utilities". The terminal program is a general purpose text environment for running any number of different programs and commands, of which ssh is only one. While a text-based environment may not suit all tasks, you will see in this case how it enables you to accomplish some tasks very simply that would otherwise require multiple programs and steps.

Once you have opened the terminal application, simply enter this command "ssh -D 7070 uni@cunix.columbia.edu" where "uni" is your own UNI, e.g. abc1234. When you hit enter it will try to connect to the Columbia CUNIX cluster. Assuming your network connection is working, the next thing you see will be a message asking if you wish to accept the host key for the CUNIX machine. Hit enter to accept it and then you will be asked for your Columbia UNI and password. Log in normally and it should complete setting up the tunnel and return you to a blinking cursor with no further chatter. Now you are logged in to the CUNIX machines. From here you could run other programs on the CUNIX machines, but that would be for another lesson. For this exercise, simply leave your terminal window open and move on to step two.

Windows users

Windows, unfortunately, does not come with an ssh client by default so we need to download and install one before we can connect to the Columbia computers with it. The client we are going to install is called "PuTTY" and can be downloaded from here. Once you have downloaded and run the installer, launch PuTTY. Now we need to configure PuTTY to connect to the Columbia CUNIX mainframe. CuIT has instructions for this here.

Your goal here is to create a new session, enter the Columbia server information, and save the session for future use. Follow these steps:

3) Under "Saved Sessions" enter "Columbia" or "CUNIX" or any other name that will help you remember what this connection is for later.

4) Under the "Category" menu on the left, click on the "Connection" menu list and then the "SSH" menu underneath it.

5) Click on "Tunnels" in the "SSH" menu.

6) Under "Add new forwarded port:" enter 7070

7) Leave the "Destination" field blank but select the 'Dynamic' option underneath it.

8) Click the "Add" button to add this port.

9) Click "Save" to save all these settings.

10) Click on "Open" to open your new connection to the CUNIX servers.

11) Enter your UNI and password when prompted.

12) Once connected the tunnel is open and you can move to step two. After you are finished using the tunnel, type logout and press Enter.

Step 2: Tell your browser to use the secure tunnel

As part of connecting to CUNIX in step one we told ssh to take an address or "port" on your local machine and forward it to the CUNIX machine that you logged into. In particular we forwarded port "7070". This created a "SOCKS proxy" between your machine's port 7070 and the Columbia computer. We now want to tell your web browser to send all its requests for websites through the proxy port. The particular way to do this depends on which browser you are using.

As a first step for all browsers visit https://duckduckgo.com/?q=what+is+my+ip+address and write down the IP address associated with your browsing. Later, when you are using the proxy, you can return to that page and observe that your apparent IP address has changed.

Firefox

In Firefox, open your "Preferences" window. That should either be under the "Edit" or the "Tools" menu. In the Preferences window, click on "Advanced" at the very top then on the "Network" tab underneath it. The first item there is "Connection: configure how Firefox connects to the web", which is what you want to do. Click on the "Settings" button right next to that text.

You should now have a new popup window named "Configure Proxies to Access the Internet". You are almost there. Click on the "manual proxy configuration" option and then enter the following settings. For "SOCKS Host" enter "localhost" and for "Port" right next to it enter "7070".

You're done. You can close those configuration windows and you should be ready to check your IP address again with https://duckduckgo.com/?q=what+is+my+ip+address. If the apparent IP address known to the server has changed, you are proxying your web traffic. If not, something has gone wrong. Take a look at the proxy settings again. Make sure that manual settings box is selected and check that your ssh connection is still running in either PuTTY or the terminal.

When you are back to a network you trust and wish to stop proxying your traffic, simply return to the same configuration menu in Firefox and change "Manual proxy configuration" back to "no proxy configuration". Otherwise Firefox will continue trying to access the web through your proxy even after you are no longer connected, which will lead to an inability to access any websites.

If you find this process too cumbersome for frequent use, you can consider third party browser extensions like FoxyProxy to shortcut the process.

Chrome

Chrome has no capability to set proxy settings natively, so you need to rely on third party plugins to make any proxy connection without having to change your system-wide network settings. Thankfully, there is a free software plugin called proxy-switchy that you can use. Download and install that then give it the following settings:

Protocol: Socks5

Host: 127.0.0.1

Port: 7070

Internet Explorer and Safari

Both of these browsers are so tightly embedded in the operating system that the only way to use a proxy with them is to change the system-wide network settings. If you wish to do that the settings to use should be:

Protocol: Socks5

Host: 127.0.0.1

Port: 7070

but I offer no guarantees.

Firefox is the simplest browser to use when proxying web traffic. If you are not already using it, you could consider downloading and using it specifically for proxied connections. That way you can simply leave the proxy settings in Firefox on all the time and use whatever other browser you wish for non-proxied web activity.

Step 3: Proof

Once you have successfully proxied your web connection through the CUNIX machines you are ready to demonstrate your success here. While your browser is still proxied simply add a comment to this page saying that you are finished. The comment will look no different to you but the logs for this website, like the logs of every website, will record your IP address. If you are successfully using your new proxy all we will see is a connection from one of the CUNIX machines. Otherwise we will see exactly where else you are connecting from.

Finished. Proxy Switchy did not work for my computer for some reason. I used Proxy SwitchySharp instead.
-- LeonHuang - 25 Mar 2017

Finished with Firefox. The path is slightly different to above for version 59.0.1 - in "tools" menu select "options" then at the bottom of the page is a heading "Network Proxy" where I could select "settings".

Running Chrome on Windows 10 does not let you use proxy-switchy by default because Chrome on Windows 10 disables the Netscape Plugin Application Programming Interface (NPAPI) which proxy-switchy was developed with, allegedly for security reasons. If you run Chrome on Windows 10, there are at least four possible solutions:

1. Configure Chrome to run in compatibility mode for Windows 7 and add the proxy-switchy extension (untested by me, reported working online).

2. Find another proxy extension that works. Proxy SwitchySharp should do it. I suspect this is what happened to LeonHuang.

3. Use a different browser. Firefox is the easiest one. (I am still trying to find a good text-based browser.)

4. Change the system-wide network settings. (I've used this before. Should still work like it does for IE/Safari. This may be preferable if you have a lot of other traffic outside of the browser that you don't want shouting your real IP address.)

When I try to connect to CUNIX and type in the command, it won't let me connect (message: "ssh: connect to host columbia.edu port 22: Connection refused" and my macbook name). Any idea why that might be?

This site is powered by the TWiki collaboration platform. All material on this collaboration platform is the property of the contributing authors. All material marked as authored by Eben Moglen is available under the license terms CC-BY-SA version 4.